[Opendnssec-develop] [Fwd: [DNSOP] Changing NSEC3 salts regularly is useless]
jerry at opendnssec.org
Fri Jul 25 05:52:18 UTC 2014
-------- Forwarded Message --------
> From: Mark Andrews <marka at isc.org>
> To: dnsop at ietf.org <dnsop at ietf.org>
> Subject: [DNSOP] Changing NSEC3 salts regularly is useless
> Date: Fri, 25 Jul 2014 00:02:09 +0200
> I just sent the following to bind-users. We need to kill the myth
> that changing NSEC3 salt provides any real benefit.
> "Actually it is useless to change the salt regularly. Changing the
> salt provides no real benefit against discovering the names in a
> zone which is the reason people were saying to change the salt.
> The attacker uses cached NSEC3 records. When it gets a cache miss
> it asks the servers for the zone, puts the answer in the cache and
> continues. When the salt changes it just maintains multiple nsec3
> chains eventually discarding the old nsec3 chain eventually. I
> would wait until the new NSEC3 chain has as many cached records as
> the old NSEC3 chain. Changing the salt slows things up minimally
> for a very short period of time after the change. Additionally
> once you have some names you ask for those names for a non-existing
> type to quickly pull in part of the new NSEC3 chain you know exists.
> The only reason to change the salt is if you have a collision of
> the hashed names. This will be a very very very rare event."
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Jerry Lundström - OpenDNSSEC Developer
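Added example, not code from the forwarded message, OpenDNSSEC or ISC: the RFC 5155 section 5 NSEC3 hash, applied as the operator-side check for the one condition the mail says justifies a new salt, two distinct owner names hashing to the same NSEC3 owner. The salt and iteration count (aabbccdd, 12) are the RFC 5155 Appendix A values; the zone names are constructed.

```python
import base64
import hashlib

# RFC 5155 section 5 NSEC3 hashing, added as an illustration (not OpenDNSSEC or ISC code).
# Salt and iterations below are the RFC 5155 Appendix A values; the zone is constructed.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789abcdefghijklmnopqrstuv"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)

def canonical(name: str) -> str:
    """Lowercase, fully qualified owner name (the form RFC 5155 hashes)."""
    return name.lower().rstrip(".") + "."

def wire_name(name: str) -> bytes:
    """Canonical wire format: length-prefixed lowercase labels ending with the root label."""
    labels = [l for l in canonical(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_salt(text: str) -> bytes:
    """NSEC3PARAM salt field: a hex string, or '-' for an empty salt."""
    return b"" if text == "-" else bytes.fromhex(text)

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt); SHA-1, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 digest bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def find_collisions(names, salt: bytes, iterations: int) -> dict:
    """Distinct owner names whose NSEC3 hashes coincide: {hash: [names]} for colliding hashes
    only. Case variants are the same name and are deduplicated first, not reported."""
    by_hash: dict = {}
    for name in {canonical(n) for n in names}:
        by_hash.setdefault(nsec3_hash(name, salt, iterations), []).append(name)
    return {h: sorted(ns) for h, ns in by_hash.items() if len(ns) > 1}

# Constructed owner names of an imaginary "example." zone, hashed with the RFC 5155 parameters.
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.", "www.example.", "x.y.w.example."]
SALT = parse_salt("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    for n in ZONE_NAMES:
        print(f"{nsec3_hash(n, SALT, ITERATIONS)}  {n}")
    print("collisions:", find_collisions(ZONE_NAMES, SALT, ITERATIONS) or "none")
```

With the salt published in NSEC3PARAM, the same function reproduces any zone's hashes, which is why the mail treats salt rotation as no secrecy gain; an empty collision report is the expected result, as the mail notes collisions are very rare.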